From 30920115b3d3f7df3b60a9cdc3826c83176ebaa9 Mon Sep 17 00:00:00 2001
From: Jelle Dekker
Date: Fri, 22 Sep 2017 02:46:52 -0500
Subject: [PATCH 1/3] Implemented that a Certificate Revocation List is generated during installation after generation of other Public Key Infrastructure. Enabled this CRL in the server config. The added benefit of this is that whenever the user now revokes a client, the change is instant. Whereas before, the first time a client was revoked, the OpenVPN server had to be restarted to enabled the then-newly-generated CRL. This change also makes the file /etc/pivpn/REVOKE_STATUS obsolete. Documentation: https://openvpn.net/index.php/open-source/documentation/howto.html#revoke
---
 auto_install/install.sh | 9 +++++----
 scripts/removeOVPN.sh | 16 ----------------
 server_config.txt | 2 +-
 3 files changed, 6 insertions(+), 21 deletions(-)
diff --git a/auto_install/install.sh b/auto_install/install.sh
index 33ca2a4..7783986 100755
--- a/auto_install/install.sh
+++ b/auto_install/install.sh
@@ -884,6 +884,11 @@ EOF
 # Generate static HMAC key to defend against DDoS
 ${SUDOE} openvpn --genkey --secret pki/ta.key
+ # Generate an empty Certificate Revocation List
+ ${SUDOE} ./easyrsa gen-crl
+ cp pki/crl.pem /etc/openvpn/crl.pem
+ chown nobody:nogroup /etc/openvpn/crl.pem
+
 # Write config file for server using the template .txt file
 $SUDO cp /etc/.pivpn/server_config.txt /etc/openvpn/server.conf
@@ -992,10 +997,6 @@ confOVPN() {
 $SUDO cp /tmp/pivpnUSR /etc/pivpn/INSTALL_USER
 $SUDO cp /tmp/DET_PLATFORM /etc/pivpn/DET_PLATFORM
- # Set status that no certs have been revoked
- echo 0 > /tmp/REVOKE_STATUS
- $SUDO cp /tmp/REVOKE_STATUS /etc/pivpn/REVOKE_STATUS
-
 $SUDO cp /etc/.pivpn/Default.txt /etc/openvpn/easy-rsa/pki/Default.txt
 if [[ ${useUpdateVars} == false ]]; then
diff --git a/scripts/removeOVPN.sh b/scripts/removeOVPN.sh
index 4e3515c..3200a55 100644
--- a/scripts/removeOVPN.sh
+++ b/scripts/removeOVPN.sh
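Review bot: The CRL produced by `${SUDOE} ./easyrsa gen-crl` carries its own expiry (easy-rsa's `EASYRSA_CRL_DAYS`, which as far as I recall defaults to 180 days), and once `crl-verify` is enabled nothing in this hunk or in the rest of the series refreshes it, so on an install where no client is ever revoked the list simply lapses; an OpenVPN build that enforces CRL validity will then reject every client, not only revoked ones. Consider setting `EASYRSA_CRL_DAYS` in the easy-rsa vars before this call so the CRL outlives the CA and certificate lifetimes the installer uses, and record the dependency in the comment: `# Generate an empty CRL; its validity is bounded by EASYRSA_CRL_DAYS and it is only regenerated when a client is revoked`. The same lines are rewritten in patch 3 of the series, so the point applies there as well. The enclosing installer function starts and ends outside the hunk.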
@@ -105,22 +105,6 @@ fi
 cd /etc/openvpn/easy-rsa || exit
-if [ "${REVOKE_STATUS}" == 0 ]; then
- echo 1 > /etc/pivpn/REVOKE_STATUS
- printf "\nThis seems to be the first time you have revoked a cert.\n"
- printf "First we need to initialize the Certificate Revocation List.\n"
- printf "Then add the CRL to your server config and restart openvpn.\n"
- ./easyrsa gen-crl
- cp pki/crl.pem /etc/openvpn/crl.pem
- chown nobody:nogroup /etc/openvpn/crl.pem
- sed -i '/#crl-verify/c\crl-verify /etc/openvpn/crl.pem' /etc/openvpn/server.conf
- if [[ ${PLAT} == "Ubuntu" || ${PLAT} == "Debian" ]]; then
- service openvpn restart
- else
- systemctl restart openvpn.service
- fi
-fi
-
 for (( ii = 0; ii < ${#CERTS_TO_REVOKE[@]}; ii++)); do
 printf "\n::: Revoking certificate '"%s"'.\n" "${CERTS_TO_REVOKE[ii]}"
 ./easyrsa --batch revoke "${CERTS_TO_REVOKE[ii]}"
diff --git a/server_config.txt b/server_config.txt
index 70625e7..035a3ed 100644
--- a/server_config.txt
+++ b/server_config.txt
@@ -34,7 +34,7 @@ user nobody
 group nogroup
 persist-key
 persist-tun
-#crl-verify /etc/openvpn/crl.pem
+crl-verify /etc/openvpn/crl.pem
 status /var/log/openvpn-status.log 20
 status-version 3
 log /var/log/openvpn.log
From 077996cfb48dd23fe00415fd800c31889c61233c Mon Sep 17 00:00:00 2001
From: Jelle Dekker
Date: Sat, 23 Sep 2017 11:21:26 -0500
Subject: [PATCH 2/3] Removed an obsolete variable.
---
 scripts/removeOVPN.sh | 1 -
 1 file changed, 1 deletion(-)
diff --git a/scripts/removeOVPN.sh b/scripts/removeOVPN.sh
index 3200a55..6bf0610 100644
--- a/scripts/removeOVPN.sh
+++ b/scripts/removeOVPN.sh
@@ -2,7 +2,6 @@
 # PiVPN: revoke client script
 INSTALL_USER=$(cat /etc/pivpn/INSTALL_USER)
-REVOKE_STATUS=$(cat /etc/pivpn/REVOKE_STATUS)
 PLAT=$(cat /etc/pivpn/DET_PLATFORM)
 INDEX="/etc/openvpn/easy-rsa/pki/index.txt"
From f5c05715de2e1a6bd389cac56b63ad91ad9c8e39 Mon Sep 17 00:00:00 2001
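Review bot: Uncommenting `crl-verify /etc/openvpn/crl.pem` makes that file a hard requirement of every server.conf produced from this template, and as far as I recall OpenVPN checks that the `--crl-verify` path is readable at startup, so any installer path that copies the template without first running the `gen-crl` step added in auto_install/install.sh (an update run, for instance, if that skips PKI generation) would leave the daemon unable to start. Conversely, an installation created before this series keeps a server.conf with the line still commented out, and since scripts/removeOVPN.sh no longer rewrites it with sed, revocations on such hosts are recorded in the PKI but never enforced by the server. A short migration note in the template would make both cases visible to whoever maintains an older install: `# crl-verify needs /etc/openvpn/crl.pem to exist; installs made before the CRL was generated at install time must create it and enable this line by hand`.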
From: Jelle Dekker
Date: Sat, 23 Sep 2017 14:35:46 -0500
Subject: [PATCH 3/3] Added sudo -E.
---
 auto_install/install.sh | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/auto_install/install.sh b/auto_install/install.sh
index 7783986..4ecf624 100755
--- a/auto_install/install.sh
+++ b/auto_install/install.sh
@@ -886,8 +886,8 @@ EOF
 # Generate an empty Certificate Revocation List
 ${SUDOE} ./easyrsa gen-crl
- cp pki/crl.pem /etc/openvpn/crl.pem
- chown nobody:nogroup /etc/openvpn/crl.pem
+ ${SUDOE} cp pki/crl.pem /etc/openvpn/crl.pem
+ ${SUDOE} chown nobody:nogroup /etc/openvpn/crl.pem
 # Write config file for server using the template .txt file
 $SUDO cp /etc/.pivpn/server_config.txt /etc/openvpn/server.conf
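Review bot: `${SUDOE} chown nobody:nogroup /etc/openvpn/crl.pem` hands ownership of the revocation list to the same unprivileged account the server drops to (`user nobody` / `group nogroup` in server_config.txt); the CRL is public data that only needs to be readable by that account, so root ownership with a fixed mode is sufficient, and if the copied mode allows owner writes this gives a compromised post-privilege-drop server process a way to rewrite its own revocation list. The two lines can be replaced by one that also makes the mode independent of the source file and the umask: `${SUDOE} install -o root -g root -m 0644 pki/crl.pem /etc/openvpn/crl.pem`. If scripts/removeOVPN.sh re-copies the CRL after a revocation (that part of the script is outside this series' hunks), it should use the same form so the two paths stay in step. The enclosing installer function starts and ends outside the hunk.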